1.4 Installing the WebLogic Agent

The installation program does not configure the agent so that it can automatically import into the Access Manager Administration Console. For the WebLogic Agent, installation is therefore a two-part process: running the installer, then configuring the agent for auto import.

1.4.1 Linux Installation

  1. Verify that the machine meets the minimum requirements. See Section 1.1.3, WebLogic Agent Requirements.

  2. Download the agent from Novell.

  3. Untar the file.

  4. Change to the Access Manager directory.

  5. At the command prompt of the Access Manager directory, enter the following:

    ./install.sh
    
  6. Review and accept the License Agreement.

  7. Enter the IP address of the Administration Console machine.

  8. Enter the name of the administrator for the Administration Console.

  9. Enter and confirm the password for this administrator.

    This starts the installation of some components.

  10. When prompted, enter the base directory of the application server.

    This is the directory where you installed the WebLogic server.

    A few more modules are installed and then configured.

  11. Configure the agent so that it imports into the Administration Console. See Section 1.4.3, Configuring for Auto Import.

1.4.2 Windows Installation

  1. Verify that the machine meets the minimum requirements. See Section 1.1.3, WebLogic Agent Requirements.

  2. Download the agent from Novell.

  3. Execute the file.

  4. Read the welcome information, then click Next.

  5. Note where additional Access Manager information can be found, then click Next.

  6. Review the License Agreement, accept it, then click Next.

  7. Specify where you want the WebLogic Agent installed.

    The default directory is c:\Novell. WebLogic does not deal well with spaces in directory names, so if possible do not use a space in the directory name (such as Program Files).

  8. Select to install the WebLogic Agent.

    If the installation program cannot detect that you have installed a WebLogic server on the machine where you are installing the agent, you are notified of this condition. You can install the WebLogic server after you have installed the agent.

  9. Enter the information required for server communication between the agent and the Administration Console. Fill in the following fields and carefully review your information:

    Administration Console Admin Username: Specify the username of the admin user of the Administration Console.

    Administration Console Admin Password: Specify the password for the admin user of the Administration Console. Confirm the password by re-entering it.

    Administration Console IP Address: Specify the IP address of your Administration Console.

    IP Address of the Application Server: Review the entered address. If your server is configured for more than one IP address, make sure the one you want to use is specified in this box.

  10. Click Next, then review the installation summary.

  11. To install the agent, click Install.

  12. When the installation has finished, review the logs to see if you need to remove any sensitive data.

  13. Click Next, then Done.

    A browser appears with the J2EE installation documentation displayed.

  14. Configure the agent so that it imports into the Administration Console. See Section 1.4.3, Configuring for Auto Import.

1.4.3 Configuring for Auto Import

The WebLogic installation program installs the files, but it does not configure either the nesp.ear application or the JAAS module so that the WebLogic J2EE Agent can automatically import into the Administration Console. To enable the import, complete the following:

Configuring the CLASSPATH

  1. Determine the following paths on your machine:

    • WL_HOME: The WebLogic home path, which defaults to /root/bea/weblogic92 in Linux and C:\bea\weblogic92 in Windows.

    • WL_DOMAIN: The domain home path, which defaults to /root/bea/user_projects/domains/base_domain in Linux and C:\bea\user_projects\domains\base_domain in Windows.

    • AGENT_HOME: The Agent install location, which defaults to /opt/novell/nids_agents/lib in Linux and C:\Novell in Windows.

  2. Copy the NidsWebLogicAgentMBeans.jar from the AGENT_HOME/lib directory to the WL_HOME/server/lib/mbeantypes directory.

    This jar contains the Novell Access Manager Authentication Provider for WebLogic as well as the JACC provider.

  3. Edit the common environment variable file:

    • Linux: For the Linux platform, edit the WL_HOME/common/bin/commEnv.sh file and add the lines below to the end of the script:

      #Novell J2EE Agent Settings
      AGENT_LIB="/opt/novell/nids_agents/lib"
      
      WEBLOGIC_CLASSPATH="${AGENT_LIB}/xml-apis.jar${PATHSEP}${AGENT_LIB}/xercesImpl.jar${PATHSEP}${AGENT_LIB}/xalan.jar${PATHSEP}${AGENT_LIB}/serializer.jar${PATHSEP}${WEBLOGIC_CLASSPATH}${PATHSEP}${AGENT_LIB}/NidsCommonAgent.jar${PATHSEP}${AGENT_LIB}/NidsWebLogicAgent.jar${PATHSEP}${AGENT_LIB}/LogEvent.jar${PATHSEP}${AGENT_LIB}/jcc.jar${PATHSEP}${AGENT_LIB}/nxpe.jar${PATHSEP}${AGENT_LIB}/nxpe-toolkit.jar${PATHSEP}${AGENT_LIB}/commons-jxpath-1.2.jar"
      export WEBLOGIC_CLASSPATH
      
      #Set library path to /usr/lib so the Agent can Audit Events.
      export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/lib
      

      The WEBLOGIC_CLASSPATH value needs to be added to the file without adding line breaks or spaces.

    • Windows: For the Windows platform, edit the WL_HOME\common\bin\commEnv.cmd file and add the following lines to the bottom. Modify AGENT_LIB so that it points to AGENT_HOME\lib:

      @rem Novell J2EE Agent Settings
      set AGENT_LIB=C:\novell\lib
      set WEBLOGIC_CLASSPATH=%AGENT_LIB%\xml-apis.jar;%AGENT_LIB%\xercesImpl.jar;%AGENT_LIB%\xalan.jar;%AGENT_LIB%\serializer.jar;%WEBLOGIC_CLASSPATH%;%AGENT_LIB%\NidsCommonAgent.jar;%AGENT_LIB%\NidsWebLogicAgent.jar;%AGENT_LIB%\LogEvent.jar;%AGENT_LIB%\jcc.jar;%AGENT_LIB%\nxpe.jar;%AGENT_LIB%\nxpe-toolkit.jar;%AGENT_LIB%\commons-jxpath-1.2.jar
      

      The WEBLOGIC_CLASSPATH value needs to be added to the file without adding line breaks or spaces.

  4. Save the changes.
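As an added check that is not part of the Novell documentation or of the agent itself, the following POSIX shell script rebuilds WEBLOGIC_CLASSPATH from the same jar list as the commEnv.sh fragment above and verifies every entry before WebLogic is started. It catches the two mistakes the note above warns about, a line break or space pasted into the value, and a jar path that does not exist. The function names, the LIB_DIR and SEPARATOR arguments, and the AGENT_LIB and PATHSEP environment variables it reads when run stand-alone are assumptions of this example; it targets the Linux shell, the Windows value uses the same jar list with a semicolon separator.

```shell
#!/bin/sh
# Added verification helper; not part of the Novell documentation or the agent.
# It rebuilds WEBLOGIC_CLASSPATH from the same jar list as the commEnv.sh
# fragment above and checks every entry, so a mistyped path or a line break
# introduced while pasting the value is found before WebLogic is started.
# Assumed inputs: the agent lib directory (AGENT_LIB in commEnv.sh) and the
# separator commEnv.sh keeps in PATHSEP (":" on Linux).

# Jar order follows the documented value: XML parser jars first, then the
# existing WebLogic classpath, then the agent jars.
AGENT_XML_JARS="xml-apis.jar xercesImpl.jar xalan.jar serializer.jar"
AGENT_JARS="NidsCommonAgent.jar NidsWebLogicAgent.jar LogEvent.jar jcc.jar nxpe.jar nxpe-toolkit.jar commons-jxpath-1.2.jar"

# build_agent_classpath LIB_DIR SEPARATOR EXISTING_CLASSPATH
# Prints the combined classpath on a single line.
build_agent_classpath() {
    lib=$1; sep=$2; existing=$3
    cp=""
    for jar in $AGENT_XML_JARS; do
        cp="${cp}${cp:+$sep}${lib}/${jar}"
    done
    if [ -n "$existing" ]; then
        cp="${cp}${sep}${existing}"
    fi
    for jar in $AGENT_JARS; do
        cp="${cp}${sep}${lib}/${jar}"
    done
    printf '%s\n' "$cp"
}

# check_classpath_entries CLASSPATH SEPARATOR
# Returns 0 when the value contains no whitespace and every entry exists;
# prints each problem to stderr and returns 1 otherwise.
check_classpath_entries() {
    value=$1; sep=$2; rc=0
    # A pasted line break or space silently splits the value; catch it first.
    stripped=$(printf '%s' "$value" | tr -d ' \t\r\n')
    if [ "$stripped" != "$value" ]; then
        echo "classpath contains whitespace or a line break" >&2
        rc=1
    fi
    old_ifs=$IFS; IFS=$sep
    for entry in $value; do
        if [ ! -e "$entry" ]; then
            echo "missing classpath entry: $entry" >&2
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Stand-alone use (assumed invocation):
#   AGENT_LIB=/opt/novell/nids_agents/lib sh check_agent_classpath.sh
if [ -n "${AGENT_LIB:-}" ]; then
    full=$(build_agent_classpath "$AGENT_LIB" "${PATHSEP:-:}" "${WEBLOGIC_CLASSPATH:-}")
    check_classpath_entries "$full" "${PATHSEP:-:}" && echo "all classpath entries found"
fi
```

Run it on the WebLogic host after editing commEnv.sh; every entry it reports as missing is a jar the server would fail to load at start-up, and a whitespace report means the value was wrapped when it was pasted.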

Configuring the JACC Provider

  1. Edit the domain environment variable file.

    • Linux: For the Linux platform, edit the WL_DOMAIN/bin/setDomainEnv.sh file and add the following lines to the end of the script. The JAVA_OPTIONS line needs to be copied into the file with no line breaks.

      # Java Properties for Novell Access Manager JACC Provider
      JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.manager -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy -Djavax.security.jacc.policy.provider=com.novell.nids.agent.policy.weblogic.WebLogicPolicy -Djavax.security.jacc.PolicyConfigurationFactory.provider=com.novell.nids.agent.policy.weblogic.WebLogicPolicyConfigurationFactory -Dweblogic.security.jacc.RoleMapperFactory.provider=com.novell.nids.agent.policy.weblogic.WebLogicRoleMapperFactory -Dweblogic.net.http.URLStreamHandlerFactory=com.novell.nids.agent.util.JsseURLStreamHandlerFactory"
      export JAVA_OPTIONS
      
    • Windows: For the Windows platform, edit WL_DOMAIN\bin\setDomainEnv.cmd and add the following lines to the end of the file. If you installed the Agent into a directory other than C:\Novell, update the -Djcc.dir option. The set command needs to be copied into the file with no line breaks.

      @REM Java Properties for Novell Access Manager JACC Provider
      
      set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.manager -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy -Djavax.security.jacc.policy.provider=com.novell.nids.agent.policy.weblogic.WebLogicPolicy -Djavax.security.jacc.PolicyConfigurationFactory.provider=com.novell.nids.agent.policy.weblogic.WebLogicPolicyConfigurationFactory -Dweblogic.security.jacc.RoleMapperFactory.provider=com.novell.nids.agent.policy.weblogic.WebLogicRoleMapperFactory -Djcc.dir=C:\Novell\devman\jcc -Dweblogic.net.http.URLStreamHandlerFactory=com.novell.nids.agent.util.JsseURLStreamHandlerFactory
      
  2. Edit the WL_HOME/server/lib/weblogic.policy file and add the following lines to the end of the file:

    grant {
          permission java.security.AllPermission;
    };
    

    For information on why we grant Java 2 permission to everything, see Understanding the Permission Configuration for JACC.

  3. Continue with Configuring Log In.

Configuring Log In

To configure log in, you can use either the WebLogic Administration Console or a script:

Using a Script to Configure Log In

  1. Start WebLogic.

  2. Execute the WebLogic scripting tool. Specify the command appropriate for the platform:

    Linux: WL_HOME/common/bin/wlst.sh

    Windows: WL_HOME\common\bin\wlst.cmd

  3. To the command, add the appropriate parameters to execute the weblogic_config.jy script. Separate each parameter with a space. Running the script without additional parameters prints the required parameters.

    The parameters, in the order they are passed, with a possible value for each:

    • WebLogic administrator username (possible value: weblogic): The name of the administrator that you specified when you installed WebLogic.

    • WebLogic administrator password (possible value: password): The password for the specified user.

    • Domain name (possible value: base_domain).

    • Server name (possible value: AdminServer): By default, WebLogic names the server AdminServer. If you changed this name during installation, specify your name.

    • Hostname and port (possible value: localhost:7001): The host and port are separated with a colon.

    Linux Example: /opt/bea/weblogic92/common/bin/wlst.sh /opt/novell/nids_agents/bin/weblogic_config.jy weblogic password base_domain AdminServer localhost:7001

    Windows Example: C:\bea\weblogic92\common\bin\wlst.cmd C:\Novell\bin\weblogic_config.jy weblogic password base_domain AdminServer localhost:7001

  4. Use the WebLogic scripting tool to execute the weblogic_nesp_deploy.jy script. Separate each parameter with a space. Running the script without additional parameters prints the required parameters.

    The parameters, in the order they are passed, with a possible value for each:

    • WebLogic administrator username (possible value: weblogic): The name of the administrator that you specified when you installed WebLogic.

    • WebLogic administrator password (possible value: password): The password of the specified user.

    • Server name (possible value: AdminServer): By default, WebLogic names the server AdminServer. If you changed this name during installation, specify your name.

    • Hostname and port (possible value: localhost:7001): The host and port are separated with a colon.

    • Path and filename of the nesp.ear application (possible value: /root/temp/nesp.ear or C:\Novell\nesp.ear): The path to the application depends upon whether you are configuring Linux or Windows.

    Linux Example: /opt/bea/weblogic92/common/bin/wlst.sh /opt/novell/nids_agents/bin/weblogic_nesp_deploy.jy weblogic password AdminServer localhost:7001 /root/temp/nesp.ear

    Windows Example: C:\bea\weblogic92\common\bin\wlst.cmd C:\Novell\bin\weblogic_nesp_deploy.jy weblogic password AdminServer localhost:7001 C:\Novell\nesp.ear

  5. Restart the WebLogic server.

    The agent should import into the Access Manager Administration Console when the WebLogic server starts. Before restarting the WebLogic server, decide whether you want to deploy the Payroll application to test the agent. See Deploying the Example Payroll Application.

  6. The J2EE Agent must be configured before users can access resources. See Section 2.0, Configuring the Agent for Authentication.

Using the WebLogic Administration Console

In the WebLogic Administration Console, you need to complete the following tasks:

Configuring the JAAS Login Module

  1. Start WebLogic.

  2. In a browser, log in to the WebLogic Administration console:

    http://<weblogic ip>:7001/console
    

    Replace <weblogic ip> with the IP address or DNS name of your WebLogic Administration Console.

  3. In the Domain Structure list, click Security Realms.

  4. Click the default realm (myrealm).

  5. Click the Providers tab.

  6. In the top right corner, click Lock and Edit.

  7. In the Authentication Providers list, click New.

  8. Specify a name in the name field, select NovellAccessManagerAuthenticator for the type, then click OK.

  9. In the Authentication Providers list, click DefaultAuthenticator and change the Control Flag from Required to Sufficient.

  10. Return to the Authentication Providers list.

  11. Change the NovellAccessManagerAuthenticator > Control Flag to Sufficient.

  12. Click Activate Changes.

    Wait until you have deployed the nesp.ear file before restarting the WebLogic server.

  13. Continue with Deploying the nesp.ear Application.

Deploying the nesp.ear Application

The nesp.ear application is a required component of the J2EE Agent.

  1. In the WebLogic Administration console, click Deployments in the Domain Structure list.

  2. Click Lock and Edit.

  3. Click Install.

  4. In the location field, click the server.

  5. Browse to the directory containing the nesp.ear application.

  6. Click the radio button next to the nesp.ear application.

  7. Click Next.

  8. Select Install this deployment as an application, then click Next.

  9. Accept the default settings, then click Finish.

  10. Click Activate Changes.

  11. Start nesp by selecting the nesp application, clicking Start and selecting Servicing All Requests. Click Yes when asked if you want to start the deployment.

  12. Log out and restart the WebLogic server.

    The agent should import into the Access Manager Administration Console when the WebLogic server starts. Before restarting the WebLogic server, decide whether you want to deploy the Payroll application to test the agent. See Deploying the Example Payroll Application.

  13. The J2EE Agent must be configured before users can access resources. See Section 2.0, Configuring the Agent for Authentication.

Deploying the Example Payroll Application

Whenever you deploy a new application, you need to restart the WebLogic server. To deploy the payroll application, use the same process that you used for the nesp.ear application. See Deploying the nesp.ear Application.

  1. Use the following values:

    • Location: The PayrollApp.ear application is located in /opt/novell/nids_agents/examples directory on Linux and <Install_Directory>\sampleapp directory on Windows.

    • Type: When prompted, select Install this deployment as an application.

  2. To start the Payroll application, click Activate Changes.

  3. Restart the WebLogic server.

  4. The J2EE Agent must be configured before users can access resources. See Section 2.0, Configuring the Agent for Authentication.

Understanding the Permission Configuration for JACC

When you enable JACC, WebLogic requires that you enable Java 2 Security with the -Djava.security.manager option. Java 2 Security uses the weblogic.policy file to determine access to resources. In addition, you should be able to specify permissions inside the weblogic-ejb-jar.xml and weblogic.xml files for deployed applications.

There appears to be a bug in WebLogic 9.2 because even the Administration Console application does not function with the default permissions in the weblogic.policy file. In addition, if you look at the weblogic.xml deployment descriptor for the console application, it has the lines:

grant {
     java.security.AllPermission
};

This should configure the console application so that it does not have any issues with Java 2 permissions, but when you enable the security manager, the console does indeed have some problems with permissions.

This bug also prevents some of the permissions for the agent from being explicitly set. The only workaround Novell has found is to grant Java 2 permissions to everything. This should not add any more security risk than running WebLogic without the security manager enabled, which is the default configuration for WebLogic.